Linux Security - The illusion of invulnerability
All environments must be properly protected, as security is a "process" of staying up-to-date, monitoring risks, and following best protective practices.
The illusion of invulnerability (see May 9th)
QUOTE: On Saturday "Linuxtag 2006" closed in Wiesbaden (Germany). According to the organisers, it’s Europe's
biggest Linux Expo. At the Kaspersky stand we talked to a lot of visitors. Pretty soon, it dawned on us exactly what the biggest threat to Linux systems is: the almost overwhelming belief in the invulnerability of Linux.
Nearly every visitor accepts the need to protect Windows against malicious code (although even at a Linux fair you find people believing that a firewall is all you need to keep viruses and worms away). But many people we spoke to were unable to think of Linux as potentially vulnerable; after all, they argued, a Linux user would never go online with root rights as typical Windows XP home users do. But such thinking overlooks some important facts:
- You don’t need to have root privileges to delete a user’s home directory of a user or access his personal data - you only need to run malicious code with user privileges. (And not every user makes daily backups which could mitigate the potential damage.)
- The number of new malicious programs for an operating system isn’t related to the number of known security flaws, but to the number of installations. In Germany, the number of Linux distributions installed is growing rapidly, and overall, the number of malicious programs for Linux more than doubled between 2004 and 2005).
*Nix Malware Doubles
- To access a system, a virus writer doesn’t need 300 vulnerabilities - one is enough.
- Vulnerabilities exist prior to their being identified by the developers who report them. Virus writers actively search for vulnerabilities, but keep their discoveries to themselves.
- Only a perfect system can offer perfect security. In his "Areas for Improvement in the 2.6 Kernel Development Process" Andrew Morton (lead maintainer of the Linux production kernel) pointed out that the number of new bugs in the current 2.6 kernel are causing concern, and might lead to the development process being halted until existing problems are fixed.